diff --git a/eacl/validator_test.go b/eacl/validator_test.go index 4cae3641..f02857a8 100644 --- a/eacl/validator_test.go +++ b/eacl/validator_test.go @@ -4,9 +4,47 @@ import ( "math/rand" "testing" + cid "github.com/nspcc-dev/neofs-sdk-go/container/id" "github.com/stretchr/testify/require" + "go.uber.org/zap/zaptest" ) +func TestOperationMatch(t *testing.T) { + tgt := NewTarget() + tgt.SetRole(RoleOthers) + + t.Run("single operation", func(t *testing.T) { + tb := NewTable() + tb.AddRecord(newRecord(ActionDeny, OperationPut, tgt)) + tb.AddRecord(newRecord(ActionAllow, OperationGet, tgt)) + + v := newValidator(t, tb) + vu := newValidationUnit(RoleOthers, nil) + + vu.op = OperationPut + require.Equal(t, ActionDeny, v.CalculateAction(vu)) + + vu.op = OperationGet + require.Equal(t, ActionAllow, v.CalculateAction(vu)) + }) + + t.Run("unknown operation", func(t *testing.T) { + tb := NewTable() + tb.AddRecord(newRecord(ActionDeny, OperationUnknown, tgt)) + tb.AddRecord(newRecord(ActionAllow, OperationGet, tgt)) + + v := newValidator(t, tb) + vu := newValidationUnit(RoleOthers, nil) + + // TODO discuss if both next tests should result in DENY + vu.op = OperationPut + require.Equal(t, ActionAllow, v.CalculateAction(vu)) + + vu.op = OperationGet + require.Equal(t, ActionAllow, v.CalculateAction(vu)) + }) +} + func TestTargetMatches(t *testing.T) { pubs := makeKeys(t, 3) @@ -48,6 +86,28 @@ func makeKeys(t *testing.T, n int) [][]byte { return pubs } +func newRecord(a Action, op Operation, tgt ...*Target) *Record { + r := NewRecord() + r.SetAction(a) + r.SetOperation(op) + r.SetTargets(tgt...) + return r +} + +type dummySource struct { + tb *Table +} + +func (d dummySource) GetEACL(*cid.ID) (*Table, error) { + return d.tb, nil +} + +func newValidator(t *testing.T, tb *Table) *Validator { + return NewValidator( + WithLogger(zaptest.NewLogger(t)), + WithEACLSource(dummySource{tb})) +} + func newValidationUnit(role Role, key []byte) *ValidationUnit { return &ValidationUnit{ role: role,